It’s amazing how ingenious cybercriminals are, but the victims also need to take some responsibility for falling for these ruses, especially when the victim is a business that has failed to train its employees in cybersecurity measures.
The stuff of science fiction is here: Who would have ever thought there’d ever be a such thing as criminals remotely stealing someone’s personal information (word processing files, any kind of image, etc.), scrambling it up via encryption, then demanding ransom in exchange for the remote “key” to “unlock” the encryption?
Payment is remotely by Bitcoin which can’t be traced. The payment is usually at least $500 and escalates the longer the victim waits.
The virus that poisons a computer to steal someone’s files is called ransomware, a type of malicious software (in this case, “Cryptolocker” and “CryptoDefense”). But how does this virus get into your computer in the first place?
It’s called social engineering: tricking users into allowing their computer to be infected, or duping them into revealing personal information.
Often, a phishing e-mail is used: It has an attention-getting subject line that entices the user to open it. The message contains a link. They click the link, and a virus is downloaded. Or, the link takes them to a site which then downloads the virus.
These e-mails, sometimes designed to look like they’re from the company the user works for, often go to workplace computers where employees get tricked. These kinds of attacks are lucrative to their instigators.
If you wanted to notify a relative or friend that a mutually dear person has left this earth…would you send an e-mail or phone that person? Seems to me that heavy news like this would warrant a phone call and voice interaction.
So if you ever receive an e-mail from a funeral home indicating that a dear one to you has passed, and to click a link to the funeral home to learn details about the burial ceremony…consider this a scam.
Because if you click the funeral site link, you’ll either get redirected to the crook’s server because he’s already created an infected funeral looking site ahead of time. This is where a virus will be downloaded to your computer.
Vishing Credit Card Scam
You get a phone call. An automated voice identifies itself as your credit card company (they’ll say “credit card company” rather than the specific name). It then says something like, “We are investigating what appears to be a fraudulent charge on your card.”
They’ll ask if you made a particular purchase lately, then to hit 1 for yes and 2 for no. If you hit no, you’re told to enter your credit card number, three-digit security code and expiration date. You just fed a thief all he (or she) needs in order to go on an online or on-phone spending spree.
Ever order something via phone and all you had to give up was the credit card number, expiration date and security code? This trick is also aimed at employees. The calls come from an automated machine that generates thousands of these calls.
Healthcare Record Scam
You receive an e-mail that appears to be from your employer or healthcare provider that you get through work. This may come to you on your home computer or the one you use at work. The e-mail is an announcement of some enticing change in your healthcare plan.
The message may reference something personal about you such as marital status, income or number of dependents. When enough of these e-mails are pumped out with automated software, the personal situation of many recipients will square off with those identified in the e-mail, such as income and number of children. The user is then lured into clicking a link in the e-mail, and once that click is made…malware is released.
Facebook Company Group Scam
Scammers will scan Facebook and LinkedIn seeking out employees of a particular company and create a group. This groups purpose is for information gathering so scammers can penetrate a company’s facility or website. Once all the groups member join, the scammers will pose various innocuous questions and start palatable discussions that make everyone feel comfortable.
Over time scammers will direct these discussions to leak bits of data that allow criminals to enter a facility under a stolen identity or to contact specific employees who have advanced access to computer systems in an attempt to get usernames and passwords.
Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.